Configuring PIM Neighbor Filtering
Context
- Configure a valid neighbor address range to prevent unauthorized neighbors from connecting to the network or participating in DR election.
- Configure the switch to reject Hello messages without Generation IDs so that switch connects to normally working PIM neighbors.
- Enable the PIM neighbor check function to discard Join/Prune messages and Assert messages that are not sent from neighbors or send Join/Prune messages and Assert messages only to neighbors.
Procedure
- Run system-view
The system view is displayed.
- Run interface interface-type interface-number
The interface view is displayed.
- (Optional) On an Ethernet interface, run undo portswitch
The interface is switched to Layer 3 mode.
By default, an Ethernet interface works in Layer 2 mode.
Only the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support switching between Layer 2 and Layer 3 modes.
- Run pim ipv6 neighbor-policy basic-acl6-number
The range of valid neighbor addresses is configured.
The switch will no longer receive Hello messages from IPv6 PIM neighbors whose IP addresses are not within the configured valid range. When the holdtime of Hello messages expires, the neighbor relationship between these IPv6 PIM devices and the switch will be terminated.
When configuring an ACL rule for the interface, use the permit parameter to configure the interface to accept only Hello messages with source addresses in a specified range. If no rule is configured in the ACL, the interface discards Hello messages from all source addresses.
- Run pim ipv6 require-genid
The device is configured to receive only Hello messages that contain Generation IDs.
- Run quit
The system exits from the interface view.
- Run pim-ipv6
The PIM-IPv6 view is displayed.
- Run neighbor-check { receive | send }
The PIM neighbor check function is enabled.